berachain · bar-bera · May 6, 2026 · May 14, 2026 · May 20, 2026
@@ -49,14 +49,14 @@ type GetPendingPartialWithdrawalsRequest struct {
 
 type GetStateValidatorsRequest struct {
 	types.StateIDRequest
-	IDs      []string `query:"id"     validate:"dive,validator_id"`
-	Statuses []string `query:"status" validate:"dive,validator_status"`
+	IDs      []string `query:"id"     validate:"max=1024,dive,validator_id"`
+	Statuses []string `query:"status" validate:"max=16,dive,validator_status"`
 }
 
 type PostStateValidatorsRequest struct {
 	types.StateIDRequest
-	IDs      []string `json:"ids"      validate:"dive,validator_id"`
-	Statuses []string `json:"statuses" validate:"dive,validator_status"`
+	IDs      []string `json:"ids"      validate:"max=1024,dive,validator_id"`
+	Statuses []string `json:"statuses" validate:"max=16,dive,validator_status"`
 }
 
 type GetStateValidatorRequest struct {
@@ -66,12 +66,12 @@ type GetStateValidatorRequest struct {
 
 type GetValidatorBalancesRequest struct {
 	types.StateIDRequest
-	IDs []string `query:"id" validate:"dive,validator_id"`
+	IDs []string `query:"id" validate:"max=1024,dive,validator_id"`
 }
 
 type PostValidatorBalancesRequest struct {
 	types.StateIDRequest
-	IDs []string `json:"-" validate:"dive,validator_id"`
+	IDs []string `json:"-" validate:"max=1024,dive,validator_id"`
 }
 
 type GetStateCommitteesRequest struct {

@@ -69,22 +69,22 @@ func (h *Handler) FilterValidators(height int64, ids []string, statuses []string
 }
 
 type validatorFilters struct {
-	indexes []uint64
-	pubkeys []crypto.BLSPubkey
+	indexes map[uint64]struct{}
+	pubkeys map[crypto.BLSPubkey]struct{}
 }
 
 // parseID attempts to parse a single ID as either a numeric ID or pubkey
 func (f *validatorFilters) parseID(id string) {
 	// Try parsing as numeric ID first
 	if index, err := math.U64FromString(id); err == nil {
-		f.indexes = append(f.indexes, index.Unwrap())
+		f.indexes[index.Unwrap()] = struct{}{}
 		return
 	}
 
 	// Try parsing as pubkey
 	var pubkey crypto.BLSPubkey
 	if err := pubkey.UnmarshalText([]byte(id)); err == nil {
-		f.pubkeys = append(f.pubkeys, pubkey)
+		f.pubkeys[pubkey] = struct{}{}
 	}
 	// We can skip errors here, since they should not happen.
 	// We do validate these ids in ValidateValidatorID.
@@ -93,8 +93,8 @@ func (f *validatorFilters) parseID(id string) {
 // parseValidatorIDs parses a slice of string IDs into numeric IDs and pubkeys
 func parseValidatorIDs(ids []string) *validatorFilters {
 	filters := &validatorFilters{
-		indexes: make([]uint64, 0, len(ids)),
-		pubkeys: make([]crypto.BLSPubkey, 0, len(ids)),
+		indexes: make(map[uint64]struct{}, len(ids)),
+		pubkeys: make(map[crypto.BLSPubkey]struct{}, len(ids)),
 	}
 
 	for _, id := range ids {
@@ -158,13 +158,15 @@ func matchesFilters(validator *consensustypes.Validator, index math.U64, filters
 	return false
 }
 
-func matchesPubkey(validator *consensustypes.Validator, parsedPubkeys []crypto.BLSPubkey) bool {
+func matchesPubkey(validator *consensustypes.Validator, parsedPubkeys map[crypto.BLSPubkey]struct{}) bool {
 	validatorPubkey := validator.GetPubkey()
-	return slices.Contains(parsedPubkeys, validatorPubkey)
+	_, exists := parsedPubkeys[validatorPubkey]
+	return exists
 }
 
-func matchesIndex(index math.U64, ids []uint64) bool {
-	return slices.Contains(ids, index.Unwrap())
+func matchesIndex(index math.U64, ids map[uint64]struct{}) bool {
+	_, exists := ids[index.Unwrap()]
+	return exists
 }
 
 func matchesStatusFilter(status string, statuses []string) bool {

@@ -303,6 +303,30 @@ func TestFilterValidators(t *testing.T) {
 				require.Nil(t, res)
 			},
 		},
+		{
+			name: "rejects requests exceeding max IDs cap",
+			inputs: func() (beacontypes.GetStateValidatorsRequest, beacontypes.PostStateValidatorsRequest) {
+				ids := make([]string, 1025)
+				for i := range ids {
+					ids[i] = strconv.Itoa(i)
+				}
+				return beacontypes.GetStateValidatorsRequest{
+						StateIDRequest: handlertypes.StateIDRequest{StateID: utils.StateIDHead},
+						IDs:            ids,
+					}, beacontypes.PostStateValidatorsRequest{
+						StateIDRequest: handlertypes.StateIDRequest{StateID: utils.StateIDHead},
+						IDs:            ids,
+					}
+			},
+			setMockExpectations: func(_ *mocks.Backend) {
+				// validation rejects before backend is touched
+			},
+			check: func(t *testing.T, res any, err error) {
+				t.Helper()
+				require.ErrorIs(t, err, handlertypes.ErrInvalidRequest)
+				require.Nil(t, res)
+			},
+		},
 	}
 
 	for _, tc := range testCases {